registry  /  @aonunited/angular  /  99.0.1

@aonunited/angular@99.0.1

OSV Malicious Advisory

scanned 14d ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-5150 confirms this npm version as malicious. On `npm install`, the package's preinstall script (preinstall.js) collects the installer's hostname, OS username, current working directory, and a timestamp, then sends them to two attacker-style out-of-band endpoints: a DNS lookup of a subdomain under `oast.fun` (an Interactsh-style callback service) constructed from the installer's identifiers, and an HTTPS POST of a JSON payload to a `webhook.site` URL...

Advisory
MAL-2026-5150
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @aonunited/angular (npm)
Details
On `npm install`, the package's preinstall script (preinstall.js) collects the installer's hostname, OS username, current working directory, and a timestamp, then sends them to two attacker-style out-of-band endpoints: a DNS lookup of a subdomain under `oast.fun` (an Interactsh-style callback service) constructed from the installer's identifiers, and an HTTPS POST of a JSON payload to a `webhook.site` URL. The package itself provides no functionality — it is a high-version (99.0.1) namespace-confusion lure against an internal `@aonunited/angular` package, designed so that any environment whose resolver picks the public registry copy will auto-execute the beacon. Although the metadata describes this as authorized HackerOne VDP research, the package is published to the public npm registry, so any developer or build system that installs or mistypes it leaks host fingerprints to third-party infrastructure without consent. ## Source: ghsa-malware (edcefa4f7ecdb8b1bf87735af2b0de89a74794dda4d8fbac66b99eaa7914d861) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. ## Source: ossf-package-analysis (411e19a999b3354e6b5ad40e6da82882c1bf314a35d722ade7b3e23eb9c4a46c) The OpenSSF Package Analysis project identified '@aonunited/angular' @ 99.0.1 (npm) as malicious. It is considered malicious because: - The package communicates with a domain associated with malicious activity.
Decision reason
OpenSSF Malicious Packages via OSV confirms @aonunited/angular@99.0.1 as malicious (MAL-2026-5150): Malicious code in @aonunited/angular (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory